See the example below of IPv4 and labelled IP traffic traversing between the ASBR routers. Note that the only plain IPv4 traffic is the BGP session itself; the remaining traffic (telnet and ICMP) is carried labelled.

2. Securing MP-EBGP Peering Session

Use BGP MD5 authentication (the TCP MD5 signature option) so that the session can only be established with a peer that holds the shared secret, not with anyone able to source packets from the neighbor's address. The "password 7" form below is the reversible type 7 encoding that IOS writes into the running configuration once service password-encryption is enabled; it hides the secret from a casual glance but is not encryption, so treat the configuration file itself as sensitive.

neighbor 172.16.0.1 password 7 011A08105E19071C

Use BGP TTL security (GTSM) with a hop count of 1. ASBRs normally peer over a directly connected back-to-back link, so with hops 1 the router only accepts BGP packets from this neighbor whose IP TTL is still 254 or higher, which only a directly attached sender can produce; spoofed packets injected from further away arrive with a lower TTL and are discarded before the BGP process sees them. Both ASBRs must configure it, and it cannot be combined with ebgp-multihop on the same neighbor.

neighbor 172.16.0.1 ttl-security hops 1

The two ASBRs exchange no IPv4 unicast routes (the only IPv4 communication between them is the BGP session itself), so do not activate the neighbor in the IPv4 unicast address family. Turning off the IPv4 unicast default means a neighbor is only activated in the address families where it is explicitly activated, which here is VPNv4 only:

no bgp default ipv4-unicast

Use BGP dampening to protect the ASBR CPU from prefixes that flap frequently: a route that keeps flapping accumulates a penalty and is suppressed until the penalty decays. For VPNv4 routes apply it under the VPNv4 address family, and keep in mind that a suppressed prefix also delays legitimate convergence for that customer prefix.

bgp dampening

Filter the route targets at the AS boundary: accept (and advertise) only the route targets that genuinely need to extend across the AS, using a route-map that matches an extended-community list. Because the ASBR has no VRF importing these route targets, BGP by default drops every received VPNv4 route whose RT it does not import locally; disabling that automatic RT filter (no bgp default route-target filter) lets the VPNv4 routes be installed in the BGP VPNv4 table even though the route target is not configured on the ASBR. Once the default filter is off, the ASBR keeps every VPNv4 route the peer sends, so the explicit inbound RT filter is what actually limits what crosses the boundary; never disable the default filter without one.

A company requires that its sites, which are connected to MPLS VPNs from different ISPs, be able to communicate with each other. To fulfill this requirement, the two ISPs need to interconnect their MPLS autonomous systems. A few methods can be used for this:

Back to back VRF

VPNv4 MP-EBGP

VPNv4 MP-EBGP between RR

The easiest method, and the one with the smallest security impact, is the back-to-back VRF connection, but it does not scale. VPNv4 MP-eBGP, with or without a route reflector acting as the ASBR, is more scalable but needs much deeper security consideration.

This article does not discuss how to secure the inter-AS MPLS connection (that is planned for a follow-up article). It only highlights the mandatory configuration between the two ASBRs that provides the inter-AS MPLS connection.

Here is the connection diagram:

Here is the important interface and VRF configuration on PE-ABC-1 and PE-XYZ-1. As an example we use the VRF named Company. We do not use CE routers; instead a loopback interface on each PE plays the role of the interface facing the CE router:

Note that because we do not configure the VRF, RD and route target on the two PE-ASBRs, we need to turn off the BGP route-target filter so that the VPNv4 routes are accepted; we use the "no bgp default route-target filter" command.
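As an added worked example (not configuration taken from the original article), the following ties together the PE and ASBR setup described just above with the hardening steps from the section on securing the MP-eBGP peering session. It shows one ISP's side only: PE-ABC-1, which carries VRF Company and uses a loopback standing in for the CE-facing interface, and ASBR-ABC, which has no VRF and therefore runs with the default route-target filter disabled but with an explicit RT filter on the inter-AS session. The AS numbers (65001 for ABC, 65002 for XYZ), all addresses except the 172.16.0.1 peer already shown in the article, the RD/RT values, the interface names and the password are assumptions for illustration; ISP XYZ's side mirrors this configuration.

```cisco
! ===== PE-ABC-1 (AS 65001, Loopback0 10.1.1.1) =====
! Assumed values: AS 65001, RD 65001:100, RT 100:100 (the RT both ISPs agree
! to extend across the AS boundary), Loopback100 as the CE stand-in.
ip vrf Company
 rd 65001:100
 route-target export 100:100
 route-target import 100:100
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface Loopback100
 description stands in for the CE-facing interface (no CE router in the lab)
 ip vrf forwarding Company
 ip address 192.168.1.1 255.255.255.0
!
router bgp 65001
 no bgp default ipv4-unicast
 neighbor 10.1.1.3 remote-as 65001
 neighbor 10.1.1.3 update-source Loopback0
 address-family vpnv4
  neighbor 10.1.1.3 activate
  neighbor 10.1.1.3 send-community extended
 exit-address-family
 address-family ipv4 vrf Company
  redistribute connected
 exit-address-family
!
! ===== ASBR-ABC (AS 65001, Loopback0 10.1.1.3, inter-AS link 172.16.0.2/30) =====
! No VRF is configured here, so BGP would by default discard every received
! VPNv4 route whose RT it does not import; "no bgp default route-target filter"
! keeps them, and the COMPANY-RT-ONLY route-map is what limits what crosses.
interface Loopback0
 ip address 10.1.1.3 255.255.255.255
!
interface GigabitEthernet0/1
 description back-to-back link to ASBR-XYZ
 ip address 172.16.0.2 255.255.255.252
 mpls bgp forwarding
!
ip extcommunity-list standard COMPANY-RT permit rt 100:100
!
! Implicit deny at the end: VPNv4 routes carrying any other RT are dropped.
route-map COMPANY-RT-ONLY permit 10
 match extcommunity COMPANY-RT
!
router bgp 65001
 no bgp default ipv4-unicast
 no bgp default route-target filter
 ! MP-iBGP to PE-ABC-1
 neighbor 10.1.1.1 remote-as 65001
 neighbor 10.1.1.1 update-source Loopback0
 ! MP-eBGP to ASBR-XYZ: MD5 authentication plus GTSM (incoming TTL >= 254)
 neighbor 172.16.0.1 remote-as 65002
 neighbor 172.16.0.1 password CHANGE-ME-SHARED-SECRET
 neighbor 172.16.0.1 ttl-security hops 1
 address-family vpnv4
  bgp dampening
  neighbor 10.1.1.1 activate
  neighbor 10.1.1.1 send-community extended
  neighbor 10.1.1.1 next-hop-self
  neighbor 172.16.0.1 activate
  neighbor 172.16.0.1 send-community extended
  neighbor 172.16.0.1 route-map COMPANY-RT-ONLY in
  neighbor 172.16.0.1 route-map COMPANY-RT-ONLY out
 exit-address-family
```

The neighbor 172.16.0.1 is deliberately never activated under the IPv4 unicast address family, so only VPNv4 NLRI flows across the boundary. The same route-map is applied outbound as well as inbound so that ABC leaks nothing but the agreed RT to XYZ, regardless of what XYZ filters. To verify, confirm the session is established with "show ip bgp vpnv4 all summary", check the neighbor detail for the minimum incoming TTL of 254, and confirm with "show ip bgp vpnv4 all" that only prefixes carrying RT 100:100 are present on the ASBR.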

About Me …

Irwan Piesessa, born in Jakarta 27 years ago, passed the CCIE Routing and Switching (#20298) certification in early 2008. Wants to be a specialist in the Service Provider technology and Network Security fields...